diff options
| author | zi <zi@FreeBSD.org> | 2011-10-15 10:13:20 +0800 |
|---|---|---|
| committer | zi <zi@FreeBSD.org> | 2011-10-15 10:13:20 +0800 |
| commit | 912c310dc579db0d3c005b8fdbd5a30ea57d9aa3 (patch) | |
| tree | f70f2a8c957a29fd9afeffc40f07cc4011cd7f76 /security | |
| parent | 1012064c94dccc8a801fa6fc2274d05c94b36fa9 (diff) | |
| download | freebsd-ports-gnome-912c310dc579db0d3c005b8fdbd5a30ea57d9aa3.tar.gz freebsd-ports-gnome-912c310dc579db0d3c005b8fdbd5a30ea57d9aa3.tar.zst freebsd-ports-gnome-912c310dc579db0d3c005b8fdbd5a30ea57d9aa3.zip | |
New port: security/sssd
sssd integrates the functionality of pam_krb5 and pam_ldap/nss_ldap
with caching and additional features.
This project provides a set of daemons to manage access to remote
directories and authentication mechanisms, it provides an NSS and
PAM interface toward the system and a pluggable backend system to
connect to multiple different account sources. It is also the
basis to provide client auditing and policy services for projects
like FreeIPA. sssd also features caching, which can allow for
offline use to assist laptop users.
WWW: https://fedorahosted.org/sssd/
PR: ports/161555
Submitted by: Andrew Elble <aweits@rit.edu>
Diffstat (limited to 'security')
38 files changed, 2201 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile index 3b98b7cffef7..fb2e5edf42c1 100644 --- a/security/Makefile +++ b/security/Makefile @@ -823,6 +823,7 @@ SUBDIR += sslscan SUBDIR += sslsniffer SUBDIR += sslwrap + SUBDIR += sssd SUBDIR += ssss SUBDIR += sst SUBDIR += starttls diff --git a/security/sssd/Makefile b/security/sssd/Makefile new file mode 100644 index 000000000000..02b50c41602d --- /dev/null +++ b/security/sssd/Makefile @@ -0,0 +1,108 @@ +# New ports collection makefile for: sssd +# Date created: Sep 6 2011 +# Whom: Andrew Elble <aweits@rit.edu> +# +# $FreeBSD$ +# + +PORTNAME= sssd +DISTVERSION= 1.6.1 +CATEGORIES= net +MASTER_SITES= https://fedorahosted.org/released/${PORTNAME}/ + +MAINTAINER= aweits@rit.edu +COMMENT= System Security Services Daemon + +LICENSE= GPLv3 + +LIB_DEPENDS= popt.0:${PORTSDIR}/devel/popt \ + talloc.2:${PORTSDIR}/devel/talloc \ + tevent.0:${PORTSDIR}/devel/tevent \ + xslt.2:${PORTSDIR}/textproc/libxslt \ + tdb.1:${PORTSDIR}/databases/tdb \ + ldb:${PORTSDIR}/databases/ldb \ + cares.2:${PORTSDIR}/dns/c-ares \ + dbus:${PORTSDIR}/devel/dbus \ + dhash.1:${PORTSDIR}/devel/ding-libs \ + pcre.0:${PORTSDIR}/devel/pcre \ + unistring.1:${PORTSDIR}/devel/libunistring \ + nss3.1:${PORTSDIR}/security/nss \ + sasl2.2:${PORTSDIR}/security/cyrus-sasl2 \ + xml2:${PORTSDIR}/textproc/libxml2 +BUILD_DEPENDS= xmlcatalog:${PORTSDIR}/textproc/libxml2 \ + docbook-xsl>=0:${PORTSDIR}/textproc/docbook-xsl +RUN_DEPENDS= xmlcatmgr:${PORTSDIR}/textproc/xmlcatmgr + +GNU_CONFIGURE= yes +CONFIGURE_ARGS= --with-selinux=no --with-semanage=no \ + --with-ldb-lib-dir=${LOCALBASE}/lib/ldb \ + --with-xml-catalog-path=${LOCALBASE}/share/xml/catalog \ + --with-libnl=no --with-init-dir=no \ + --docdir=${WRKDIR}/docs --with-pid-path=/var/run \ + --localstatedir=/var --enable-pammoddir=${PREFIX}/lib \ + --with-db-path=/var/db/sss --with-pipe-path=/var/run/sss \ + --with-pubconf-path=/var/run/sss +CFLAGS+= -L${LOCALBASE}/lib -fstack-protector-all +#DEBUG_FLAGS= -g + +USE_AUTOTOOLS= autoconf automake +USE_LDCONFIG= yes +USE_PYTHON= yes +USE_OPENLDAP= yes +USE_GMAKE= yes +USE_GNOME= pkgconfig +USE_GETTEXT= yes +USE_ICONV= yes +USE_PYTHON= yes + +USE_RC_SUBR= ${PORTNAME} +MAN5= sssd-ipa.5 sssd-krb5.5 sssd-ldap.5 sssd-simple.5 \ + sssd.conf.5 +MAN8= pam_sss.8 sss_cache.8 sss_groupadd.8 sss_groupdel.8 \ + sss_groupmod.8 sss_groupshow.8 sss_obfuscate.8 \ + sss_useradd.8 sss_userdel.8 sss_usermod.8 sssd.8 \ + sssd_krb5_locator_plugin.8 + +.include <bsd.port.pre.mk> + +.if ${OSVERSION} < 800107 +IGNORE= is not supported prior to 8.0-RELEASE +.endif + +post-patch: + @${REINPLACE_CMD} -e 's|SIGCLD|SIGCHLD|g' ${WRKSRC}/src/util/signal.c + @${REINPLACE_CMD} -e '/#define SIZE_T_MAX ((size_t) -1)/d' ${WRKSRC}/src/util/util.h + @${REINPLACE_CMD} -e '/pam_misc/d' ${WRKSRC}/src/sss_client/pam_test_client.c + @${REINPLACE_CMD} -e '/ETIME/d' ${WRKSRC}/src/sss_client/common.c + @${REINPLACE_CMD} -e 's| -lpam_misc||g' ${WRKSRC}/Makefile.am ${WRKSRC}/Makefile.in + @${REINPLACE_CMD} -e 's|security/pam_misc.h||g' ${WRKSRC}/configure* ${WRKSRC}/src/external/pam.m4 + @${REINPLACE_CMD} -e 's|NSS_STATUS_NOTFOUND|NS_NOTFOUND|g' ${WRKSRC}/src/sss_client/common.c + @${REINPLACE_CMD} -e 's|NSS_STATUS_UNAVAIL|NS_UNAVAIL|g' ${WRKSRC}/src/sss_client/common.c + @${REINPLACE_CMD} -e 's|NSS_STATUS_TRYAGAIN|NS_TRYAGAIN|g' ${WRKSRC}/src/sss_client/common.c + @${REINPLACE_CMD} -e 's|NSS_STATUS_SUCCESS|NS_SUCCESS|g' ${WRKSRC}/src/sss_client/common.c + @${REINPLACE_CMD} -e 's|security/pam_ext.h|security/pam_appl.h|g' ${WRKSRC}/src/sss_client/pam_sss.c + @${REINPLACE_CMD} -e 's|security/_pam_macros.h|pam_macros.h|g' ${WRKSRC}/src/sss_client/sss_pam_macros.h + @${REINPLACE_CMD} -e 's|#include <security/pam_modutil.h>||g' ${WRKSRC}/src/sss_client/pam_sss.c + @${REINPLACE_CMD} -e 's|PAM_BAD_ITEM|PAM_USER_UNKNOWN|g' ${WRKSRC}/src/sss_client/pam_sss.c + @${REINPLACE_CMD} -e 's|pam_vsyslog(pamh,|vsyslog(|g' ${WRKSRC}/src/sss_client/pam_sss.c + @${REINPLACE_CMD} -e 's|pam_modutil_getlogin(pamh)|getlogin()|g' ${WRKSRC}/src/sss_client/pam_sss.c + @${REINPLACE_CMD} -e '/..MAKE. ..AM_MAKEFLAGS. install-data-hook/d' ${WRKSRC}/Makefile.in + @${REINPLACE_CMD} -e 's|install-data-hook install-dist_initSCRIPTS|install-dist_initSCRIPTS|g' \ + ${WRKSRC}/Makefile.in ${WRKSRC}/Makefile.am + @${REINPLACE_CMD} -e 's|install-data-hook|notinstall-data-hook|g' ${WRKSRC}/Makefile.in \ + ${WRKSRC}/Makefile.am + @${REINPLACE_CMD} -e 's|libdir)/pkgconfig|prefix)/libdata/pkgconfig|' ${WRKSRC}/Makefile.in \ + ${WRKSRC}/Makefile.am + @${REINPLACE_CMD} -e 's|/etc/sssd/|${ETCDIR}/|g' ${WRKSRC}/src/man/*xml + @${REINPLACE_CMD} -e 's|/etc/openldap/|${PREFIX}/etc/openldap/|g' ${WRKSRC}/src/man/*xml + @${CP} ${FILESDIR}/pam_macros.h ${WRKSRC}/pam_macros.h + @${CP} ${FILESDIR}/bsdnss.c ${WRKSRC}/src/sss_client/bsdnss.c + +post-install: + ${INSTALL_DATA} ${WRKSRC}/src/examples/sssd.conf ${ETCDIR}/sssd.conf.sample + (cd ${PREFIX}/lib && ${LN} -s nss_sss.so.2 nss_sss.so.1) + (cd ${PREFIX}/lib && ${LN} -s pam_sss.so pam_sss.so.5) + @${RM} -f ${PREFIX}/lib/ldb/memberof.la + @${CAT} ${PKGMESSAGE} + +.include <bsd.port.post.mk> diff --git a/security/sssd/distinfo b/security/sssd/distinfo new file mode 100644 index 000000000000..2dc947d7be16 --- /dev/null +++ b/security/sssd/distinfo @@ -0,0 +1,2 @@ +SHA256 (sssd-1.6.1.tar.gz) = ba30d8cf7eae1fd66053b4f11e8e5b98bc6db113cf6d2f33e429f2e21d90ade9 +SIZE (sssd-1.6.1.tar.gz) = 1406047 diff --git a/security/sssd/files/bsdnss.c b/security/sssd/files/bsdnss.c new file mode 100644 index 000000000000..147d4554c670 --- /dev/null +++ b/security/sssd/files/bsdnss.c @@ -0,0 +1,187 @@ +#include <errno.h> +#include <sys/param.h> +#include <netinet/in.h> +#include <pwd.h> +#include <grp.h> +#include <nss.h> +#include <netdb.h> + +extern enum nss_status _nss_sss_getgrent_r(struct group *, char *, size_t, + int *); +extern enum nss_status _nss_sss_getgrnam_r(const char *, struct group *, + char *, size_t, int *); +extern enum nss_status _nss_sss_getgrgid_r(gid_t gid, struct group *, char *, + size_t, int *); +extern enum nss_status _nss_sss_setgrent(void); +extern enum nss_status _nss_sss_endgrent(void); + +extern enum nss_status _nss_sss_getpwent_r(struct passwd *, char *, size_t, + int *); +extern enum nss_status _nss_sss_getpwnam_r(const char *, struct passwd *, + char *, size_t, int *); +extern enum nss_status _nss_sss_getpwuid_r(gid_t gid, struct passwd *, char *, + size_t, int *); +extern enum nss_status _nss_sss_setpwent(void); +extern enum nss_status _nss_sss_endpwent(void); + +extern enum nss_status _nss_sss_gethostbyname_r (const char *name, struct hostent * result, + char *buffer, size_t buflen, int *errnop, + int *h_errnop); + +extern enum nss_status _nss_sss_gethostbyname2_r (const char *name, int af, struct hostent * result, + char *buffer, size_t buflen, int *errnop, + int *h_errnop); +extern enum nss_status _nss_sss_gethostbyaddr_r (struct in_addr * addr, int len, int type, + struct hostent * result, char *buffer, + size_t buflen, int *errnop, int *h_errnop); + +extern enum nss_status _nss_sss_getgroupmembership(const char *uname, gid_t agroup, gid_t *groups, + int maxgrp, int *grpcnt); + + +NSS_METHOD_PROTOTYPE(__nss_compat_getgroupmembership); +NSS_METHOD_PROTOTYPE(__nss_compat_getgrnam_r); +NSS_METHOD_PROTOTYPE(__nss_compat_getgrgid_r); +NSS_METHOD_PROTOTYPE(__nss_compat_getgrent_r); +NSS_METHOD_PROTOTYPE(__nss_compat_setgrent); +NSS_METHOD_PROTOTYPE(__nss_compat_endgrent); + +NSS_METHOD_PROTOTYPE(__nss_compat_getpwnam_r); +NSS_METHOD_PROTOTYPE(__nss_compat_getpwuid_r); +NSS_METHOD_PROTOTYPE(__nss_compat_getpwent_r); +NSS_METHOD_PROTOTYPE(__nss_compat_setpwent); +NSS_METHOD_PROTOTYPE(__nss_compat_endpwent); + +NSS_METHOD_PROTOTYPE(__nss_compat_gethostbyname); +NSS_METHOD_PROTOTYPE(__nss_compat_gethostbyname2); +NSS_METHOD_PROTOTYPE(__nss_compat_gethostbyaddr); + +static ns_mtab methods[] = { +{ NSDB_GROUP, "getgrnam_r", __nss_compat_getgrnam_r, _nss_sss_getgrnam_r }, +{ NSDB_GROUP, "getgrgid_r", __nss_compat_getgrgid_r, _nss_sss_getgrgid_r }, +{ NSDB_GROUP, "getgrent_r", __nss_compat_getgrent_r, _nss_sss_getgrent_r }, +{ NSDB_GROUP, "getgroupmembership", __nss_compat_getgroupmembership, _nss_sss_getgroupmembership }, +{ NSDB_GROUP, "setgrent", __nss_compat_setgrent, _nss_sss_setgrent }, +{ NSDB_GROUP, "endgrent", __nss_compat_endgrent, _nss_sss_endgrent }, + +{ NSDB_PASSWD, "getpwnam_r", __nss_compat_getpwnam_r, _nss_sss_getpwnam_r }, +{ NSDB_PASSWD, "getpwuid_r", __nss_compat_getpwuid_r, _nss_sss_getpwuid_r }, +{ NSDB_PASSWD, "getpwent_r", __nss_compat_getpwent_r, _nss_sss_getpwent_r }, +{ NSDB_PASSWD, "setpwent", __nss_compat_setpwent, _nss_sss_setpwent }, +{ NSDB_PASSWD, "endpwent", __nss_compat_endpwent, _nss_sss_endpwent }, + +// { NSDB_HOSTS, "gethostbyname", __nss_compat_gethostbyname, _nss_sss_gethostbyname_r }, +//{ NSDB_HOSTS, "gethostbyaddr", __nss_compat_gethostbyaddr, _nss_sss_gethostbyaddr_r }, +//{ NSDB_HOSTS, "gethostbyname2", __nss_compat_gethostbyname2, _nss_sss_gethostbyname2_r }, + +{ NSDB_GROUP_COMPAT, "getgrnam_r", __nss_compat_getgrnam_r, _nss_sss_getgrnam_r }, +{ NSDB_GROUP_COMPAT, "getgrgid_r", __nss_compat_getgrgid_r, _nss_sss_getgrgid_r }, +{ NSDB_GROUP_COMPAT, "getgrent_r", __nss_compat_getgrent_r, _nss_sss_getgrent_r }, +{ NSDB_GROUP_COMPAT, "setgrent", __nss_compat_setgrent, _nss_sss_setgrent }, +{ NSDB_GROUP_COMPAT, "endgrent", __nss_compat_endgrent, _nss_sss_endgrent }, + +{ NSDB_PASSWD_COMPAT, "getpwnam_r", __nss_compat_getpwnam_r, _nss_sss_getpwnam_r }, +{ NSDB_PASSWD_COMPAT, "getpwuid_r", __nss_compat_getpwuid_r, _nss_sss_getpwuid_r }, +{ NSDB_PASSWD_COMPAT, "getpwent_r", __nss_compat_getpwent_r, _nss_sss_getpwent_r }, +{ NSDB_PASSWD_COMPAT, "setpwent", __nss_compat_setpwent, _nss_sss_setpwent }, +{ NSDB_PASSWD_COMPAT, "endpwent", __nss_compat_endpwent, _nss_sss_endpwent }, + +}; + + +ns_mtab * +nss_module_register(const char *source, unsigned int *mtabsize, + nss_module_unregister_fn *unreg) +{ + *mtabsize = sizeof(methods)/sizeof(methods[0]); + *unreg = NULL; + return (methods); +} + +int __nss_compat_getgroupmembership(void *retval, void *mdata, va_list ap) +{ + int (*fn)(const char *, gid_t, gid_t *, int, int *); + + const char *uname; + gid_t agroup; + gid_t *groups; + int maxgrp; + int *grpcnt; + int errnop; + enum nss_status status; + + fn = mdata; + uname = va_arg(ap, const char *); + agroup = va_arg(ap, gid_t); + groups = va_arg(ap, gid_t *); + maxgrp = va_arg(ap, int); + grpcnt = va_arg(ap, int *); + status = fn(uname, agroup, groups, maxgrp, grpcnt); + status = __nss_compat_result(status, errnop); + return (status); +} + +int __nss_compat_gethostbyname(void *retval, void *mdata, va_list ap) +{ + enum nss_status (*fn)(const char *, struct hostent *, char *, size_t, int *, int *); + const char *name; + struct hostent *result; + char buffer[1024]; + size_t buflen = 1024; + int errnop; + int h_errnop; + int af; + enum nss_status status; + fn = mdata; + name = va_arg(ap, const char*); + af = va_arg(ap,int); + result = va_arg(ap,struct hostent *); + status = fn(name, result, buffer, buflen, &errnop, &h_errnop); + status = __nss_compat_result(status,errnop); + h_errno = h_errnop; + return (status); +} + +int __nss_compat_gethostbyname2(void *retval, void *mdata, va_list ap) +{ + enum nss_status (*fn)(const char *, struct hostent *, char *, size_t, int *, int *); + const char *name; + struct hostent *result; + char buffer[1024]; + size_t buflen = 1024; + int errnop; + int h_errnop; + int af; + enum nss_status status; + fn = mdata; + name = va_arg(ap, const char*); + af = va_arg(ap,int); + result = va_arg(ap,struct hostent *); + status = fn(name, result, buffer, buflen, &errnop, &h_errnop); + status = __nss_compat_result(status,errnop); + h_errno = h_errnop; + return (status); +} + +int __nss_compat_gethostbyaddr(void *retval, void *mdata, va_list ap) +{ + struct in_addr *addr; + int len; + int type; + struct hostent *result; + char buffer[1024]; + size_t buflen = 1024; + int errnop; + int h_errnop; + enum nss_status (*fn)(struct in_addr *, int, int, struct hostent *, char *, size_t, int *, int *); + enum nss_status status; + fn = mdata; + addr = va_arg(ap, struct in_addr*); + len = va_arg(ap,int); + type = va_arg(ap,int); + result = va_arg(ap, struct hostent*); + status = fn(addr, len, type, result, buffer, buflen, &errnop, &h_errnop); + status = __nss_compat_result(status,errnop); + h_errno = h_errnop; + return (status); +} diff --git a/security/sssd/files/pam_macros.h b/security/sssd/files/pam_macros.h new file mode 100644 index 000000000000..bd107cfb68cb --- /dev/null +++ b/security/sssd/files/pam_macros.h @@ -0,0 +1,196 @@ +#ifndef PAM_MACROS_H +#define PAM_MACROS_H + +/* + * All kind of macros used by PAM, but usable in some other + * programs too. + * Organized by Cristian Gafton <gafton@redhat.com> + */ + +/* a 'safe' version of strdup */ + +#include <stdlib.h> +#include <string.h> + +#define x_strdup(s) ( (s) ? strdup(s):NULL ) + +/* Good policy to strike out passwords with some characters not just + free the memory */ + +#define _pam_overwrite(x) \ +do { \ + register char *__xx__; \ + if ((__xx__=(x))) \ + while (*__xx__) \ + *__xx__++ = '\0'; \ +} while (0) + +#define _pam_overwrite_n(x,n) \ +do { \ + register char *__xx__; \ + register unsigned int __i__ = 0; \ + if ((__xx__=(x))) \ + for (;__i__<n; __i__++) \ + __xx__[__i__] = 0; \ +} while (0) + +/* + * Don't just free it, forget it too. + */ + +#define _pam_drop(X) \ +do { \ + if (X) { \ + free(X); \ + X=NULL; \ + } \ +} while (0) + +#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ +do { \ + int reply_i; \ + \ + for (reply_i=0; reply_i<replies; ++reply_i) { \ + if (reply[reply_i].resp) { \ + _pam_overwrite(reply[reply_i].resp); \ + free(reply[reply_i].resp); \ + } \ + } \ + if (reply) \ + free(reply); \ +} while (0) + +/* some debugging code */ + +#ifdef DEBUG + +/* + * This provides the necessary function to do debugging in PAM. + * Cristian Gafton <gafton@redhat.com> + */ + +#include <stdio.h> +#include <sys/types.h> +#include <stdarg.h> +#include <errno.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <unistd.h> + +/* + * This is for debugging purposes ONLY. DO NOT use on live systems !!! + * You have been warned :-) - CG + * + * to get automated debugging to the log file, it must be created manually. + * _PAM_LOGFILE must exist and be writable to the programs you debug. + */ + +#ifndef _PAM_LOGFILE +#define _PAM_LOGFILE "/var/run/pam-debug.log" +#endif + +static void _pam_output_debug_info(const char *file, const char *fn + , const int line) +{ + FILE *logfile; + int must_close = 1, fd; + +#ifdef O_NOFOLLOW + if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_NOFOLLOW|O_APPEND)) != -1) { +#else + if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_APPEND)) != -1) { +#endif + if (!(logfile = fdopen(fd,"a"))) { + logfile = stderr; + must_close = 0; + close(fd); + } + } else { + logfile = stderr; + must_close = 0; + } + fprintf(logfile,"[%s:%s(%d)] ",file, fn, line); + fflush(logfile); + if (must_close) + fclose(logfile); +} + +static void _pam_output_debug(const char *format, ...) +{ + va_list args; + FILE *logfile; + int must_close = 1, fd; + + va_start(args, format); + +#ifdef O_NOFOLLOW + if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_NOFOLLOW|O_APPEND)) != -1) { +#else + if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_APPEND)) != -1) { +#endif + if (!(logfile = fdopen(fd,"a"))) { + logfile = stderr; + must_close = 0; + close(fd); + } + } else { + logfile = stderr; + must_close = 0; + } + vfprintf(logfile, format, args); + fprintf(logfile, "\n"); + fflush(logfile); + if (must_close) + fclose(logfile); + + va_end(args); +} + +#define D(x) do { \ + _pam_output_debug_info(__FILE__, __FUNCTION__, __LINE__); \ + _pam_output_debug x ; \ +} while (0) + +#define _pam_show_mem(X,XS) do { \ + int i; \ + register unsigned char *x; \ + x = (unsigned char *)X; \ + fprintf(stderr, " <start at %p>\n", X); \ + for (i = 0; i < XS ; ++x, ++i) { \ + fprintf(stderr, " %02X. <%p:%02X>\n", i, x, *x); \ + } \ + fprintf(stderr, " <end for %p after %d bytes>\n", X, XS); \ +} while (0) + +#define _pam_show_reply(/* struct pam_response * */reply, /* int */replies) \ +do { \ + int reply_i; \ + setbuf(stderr, NULL); \ + fprintf(stderr, "array at %p of size %d\n",reply,replies); \ + fflush(stderr); \ + if (reply) { \ + for (reply_i = 0; reply_i < replies; reply_i++) { \ + fprintf(stderr, " elem# %d at %p: resp = %p, retcode = %d\n", \ + reply_i, reply+reply_i, reply[reply_i].resp, \ + reply[reply_i].resp, _retcode); \ + fflush(stderr); \ + if (reply[reply_i].resp) { \ + fprintf(stderr, " resp[%d] = '%s'\n", \ + strlen(reply[reply_i].resp), reply[reply_i].resp); \ + fflush(stderr); \ + } \ + } \ + } \ + fprintf(stderr, "done here\n"); \ + fflush(stderr); \ +} while (0) + +#else + +#define D(x) do { } while (0) +#define _pam_show_mem(X,XS) do { } while (0) +#define _pam_show_reply(reply, replies) do { } while (0) + +#endif /* DEBUG */ + +#endif /* PAM_MACROS_H */ diff --git a/security/sssd/files/patch-Makefile.am b/security/sssd/files/patch-Makefile.am new file mode 100644 index 000000000000..09c82b62d726 --- /dev/null +++ b/security/sssd/files/patch-Makefile.am @@ -0,0 +1,61 @@ +--- ./Makefile.am.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./Makefile.am 2011-10-13 12:13:42.000000000 -0400 +@@ -33,7 +33,7 @@ + systemdunitdir = @systemdunitdir@ + logpath = @logpath@ + pubconfpath = @pubconfpath@ +-pkgconfigdir = $(libdir)/pkgconfig ++pkgconfigdir = $(prefix)/libdata/pkgconfig + + AM_CFLAGS = + if WANT_AUX_INFO +@@ -753,21 +753,22 @@ + + noinst_PROGRAMS = pam_test_client + pam_test_client_SOURCES = src/sss_client/pam_test_client.c +-pam_test_client_LDFLAGS = -lpam -lpam_misc ++pam_test_client_LDFLAGS = -lpam + + #################### + # Client Libraries # + #################### + +-nsslib_LTLIBRARIES = libnss_sss.la +-libnss_sss_la_SOURCES = \ ++nsslib_LTLIBRARIES = nss_sss.la ++nss_sss_la_SOURCES = \ + src/sss_client/common.c \ ++ src/sss_client/bsdnss.c \ + src/sss_client/nss_passwd.c \ + src/sss_client/nss_group.c \ + src/sss_client/nss_netgroup.c \ + src/sss_client/sss_cli.h \ + src/sss_client/nss_compat.h +-libnss_sss_la_LDFLAGS = \ ++nss_sss_la_LDFLAGS = \ + -module \ + -version-info 2:0:0 \ + -Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports +@@ -780,6 +781,7 @@ + src/sss_client/sss_pam_macros.h + + pam_sss_la_LDFLAGS = \ ++ -lintl \ + -lpam \ + -module \ + -avoid-version \ +@@ -1122,10 +1124,10 @@ + mkdir -p $(DESTDIR)$(initdir) + endif + +-install-data-hook: +- rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \ +- $(DESTDIR)/$(nsslibdir)/libnss_sss.so +- mv $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2.0.0 $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 ++notnotnotnotnotnotnotnotnotnotnotnotnotnotnotnotnotinstall-data-hook: ++ rm $(DESTDIR)/$(nsslibdir)/nss_sss.so.2 \ ++ $(DESTDIR)/$(nsslibdir)/nss_sss.so ++ mv $(DESTDIR)/$(nsslibdir)/nss_sss.so.2.0.0 $(DESTDIR)/$(nsslibdir)/nss_sss.so.2 + + uninstall-hook: + if [ -f $(abs_builddir)/src/config/.files ]; then \ diff --git a/security/sssd/files/patch-src__confdb__confdb.c b/security/sssd/files/patch-src__confdb__confdb.c new file mode 100644 index 000000000000..50fd9bbea268 --- /dev/null +++ b/security/sssd/files/patch-src__confdb__confdb.c @@ -0,0 +1,14 @@ +--- ./src/confdb/confdb.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/confdb/confdb.c 2011-10-13 12:15:03.000000000 -0400 +@@ -28,6 +28,11 @@ + #include "util/strtonum.h" + #include "db/sysdb.h" + ++char *strchrnul(const char *s, int ch) { ++ char *ret = strchr(s, ch); ++ return ret == NULL ? ((char *)s) + strlen(s) : ret; ++} ++ + #define CONFDB_ZERO_CHECK_OR_JUMP(var, ret, err, label) do { \ + if (!var) { \ + ret = err; \ diff --git a/security/sssd/files/patch-src__monitor__monitor.c b/security/sssd/files/patch-src__monitor__monitor.c new file mode 100644 index 000000000000..aa86eeb3bca0 --- /dev/null +++ b/security/sssd/files/patch-src__monitor__monitor.c @@ -0,0 +1,24 @@ +--- ./src/monitor/monitor.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/monitor/monitor.c 2011-10-13 12:15:03.000000000 -0400 +@@ -57,6 +57,10 @@ + + int cmdline_debug_level; + ++errno_t monitor_config_file_fallback(TALLOC_CTX *mem_ctx, ++ struct mt_ctx *ctx, ++ const char *file, ++ monitor_reconf_fn fn); + struct svc_spy; + + struct mt_svc { +@@ -1606,10 +1610,6 @@ + talloc_free(tmp_ctx); + } + +-errno_t monitor_config_file_fallback(TALLOC_CTX *mem_ctx, +- struct mt_ctx *ctx, +- const char *file, +- monitor_reconf_fn fn); + static void rewatch_config_file(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, void *ptr) diff --git a/security/sssd/files/patch-src__providers__data_provider_be.c b/security/sssd/files/patch-src__providers__data_provider_be.c new file mode 100644 index 000000000000..af962a437c96 --- /dev/null +++ b/security/sssd/files/patch-src__providers__data_provider_be.c @@ -0,0 +1,29 @@ +--- ./src/providers/data_provider_be.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/data_provider_be.c 2011-10-13 12:15:03.000000000 -0400 +@@ -512,7 +512,7 @@ + return EIO; + } + +- pd->pam_status = PAM_SYSTEM_ERR; ++ pd->pam_status = PAM_SERVICE_ERR; + pd->domain = talloc_strdup(pd, becli->bectx->domain->name); + if (pd->domain == NULL) { + talloc_free(be_req); +@@ -1013,7 +1013,7 @@ + if (!handle) { + DEBUG(0, ("Unable to load %s module with path (%s), error: %s\n", + mod_name, path, dlerror())); +- ret = ELIBACC; ++ ret = ENOENT; + goto done; + } + +@@ -1033,7 +1033,7 @@ + } else { + DEBUG(0, ("Unable to load init fn %s from module %s, error: %s\n", + mod_init_fn_name, mod_name, dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + } + goto done; + } diff --git a/security/sssd/files/patch-src__providers__fail_over.c b/security/sssd/files/patch-src__providers__fail_over.c new file mode 100644 index 000000000000..07782702e2b9 --- /dev/null +++ b/security/sssd/files/patch-src__providers__fail_over.c @@ -0,0 +1,27 @@ +--- ./src/providers/fail_over.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/fail_over.c 2011-10-13 12:15:03.000000000 -0400 +@@ -1191,7 +1191,7 @@ + *******************************************************************/ + struct resolve_get_domain_state { + char *fqdn; +- char hostname[HOST_NAME_MAX]; ++ char hostname[_POSIX_HOST_NAME_MAX]; + }; + + static void resolve_get_domain_done(struct tevent_req *subreq); +@@ -1211,13 +1211,13 @@ + return NULL; + } + +- ret = gethostname(state->hostname, HOST_NAME_MAX); ++ ret = gethostname(state->hostname, _POSIX_HOST_NAME_MAX); + if (ret) { + ret = errno; + DEBUG(2, ("gethostname() failed: [%d]: %s\n",ret, strerror(ret))); + return NULL; + } +- state->hostname[HOST_NAME_MAX-1] = '\0'; ++ state->hostname[_POSIX_HOST_NAME_MAX-1] = '\0'; + DEBUG(7, ("Host name is: %s\n", state->hostname)); + + subreq = resolv_gethostbyname_send(state, ev, resolv, diff --git a/security/sssd/files/patch-src__providers__ipa__ipa_common.c b/security/sssd/files/patch-src__providers__ipa__ipa_common.c new file mode 100644 index 000000000000..b3ac2f27c938 --- /dev/null +++ b/security/sssd/files/patch-src__providers__ipa__ipa_common.c @@ -0,0 +1,28 @@ +--- ./src/providers/ipa/ipa_common.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/ipa/ipa_common.c 2011-10-13 12:15:03.000000000 -0400 +@@ -191,7 +191,7 @@ + char *ipa_hostname; + int ret; + int i; +- char hostname[HOST_NAME_MAX + 1]; ++ char hostname[_POSIX_HOST_NAME_MAX + 1]; + + opts = talloc_zero(memctx, struct ipa_options); + if (!opts) return ENOMEM; +@@ -220,14 +220,14 @@ + + ipa_hostname = dp_opt_get_string(opts->basic, IPA_HOSTNAME); + if (ipa_hostname == NULL) { +- ret = gethostname(hostname, HOST_NAME_MAX); ++ ret = gethostname(hostname, _POSIX_HOST_NAME_MAX); + if (ret != EOK) { + DEBUG(1, ("gethostname failed [%d][%s].\n", errno, + strerror(errno))); + ret = errno; + goto done; + } +- hostname[HOST_NAME_MAX] = '\0'; ++ hostname[_POSIX_HOST_NAME_MAX] = '\0'; + DEBUG(9, ("Setting ipa_hostname to [%s].\n", hostname)); + ret = dp_opt_set_string(opts->basic, IPA_HOSTNAME, hostname); + if (ret != EOK) { diff --git a/security/sssd/files/patch-src__providers__krb5__krb5_child.c b/security/sssd/files/patch-src__providers__krb5__krb5_child.c new file mode 100644 index 000000000000..5664e0c4c782 --- /dev/null +++ b/security/sssd/files/patch-src__providers__krb5__krb5_child.c @@ -0,0 +1,377 @@ +--- ./src/providers/krb5/krb5_child.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/krb5/krb5_child.c 2011-10-13 12:15:03.000000000 -0400 +@@ -39,6 +39,15 @@ + + #define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw" + ++typedef struct _krb5_ticket_times { ++ krb5_timestamp authtime; /* XXX ? should ktime in KDC_REP == authtime ++ in ticket? otherwise client can't get this */ ++ krb5_timestamp starttime; /* optional in ticket, if not present, ++ use authtime */ ++ krb5_timestamp endtime; ++ krb5_timestamp renew_till; ++} krb5_ticket_times; ++ + struct krb5_child_ctx { + /* opts taken from kinit */ + /* in seconds */ +@@ -100,10 +109,10 @@ + + static krb5_context krb5_error_ctx; + static const char *__krb5_error_msg; +-#define KRB5_DEBUG(level, krb5_error) do { \ +- __krb5_error_msg = sss_krb5_get_error_message(krb5_error_ctx, krb5_error); \ ++#define KRB5_DEBUG(level, krb5_error, ctx) do { \ ++ __krb5_error_msg = sss_krb5_get_error_message(ctx, krb5_error); \ + DEBUG(level, ("%d: [%d][%s]\n", __LINE__, krb5_error, __krb5_error_msg)); \ +- sss_krb5_free_error_message(krb5_error_ctx, __krb5_error_msg); \ ++ sss_krb5_free_error_message(ctx, __krb5_error_msg); \ + } while(0); + + static void sss_krb5_expire_callback_func(krb5_context context, void *data, +@@ -267,13 +276,13 @@ + + kerr = krb5_cc_resolve(ctx, tmp_ccname, &tmp_cc); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + + kerr = krb5_cc_initialize(ctx, tmp_cc, princ); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + if (fd != -1) { +@@ -284,7 +293,7 @@ + if (creds == NULL) { + kerr = create_empty_cred(ctx, princ, &l_cred); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + } else { +@@ -293,13 +302,13 @@ + + kerr = krb5_cc_store_cred(ctx, tmp_cc, l_cred); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + + kerr = krb5_cc_close(ctx, tmp_cc); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + tmp_cc = NULL; +@@ -420,7 +429,7 @@ + talloc_zfree(msg); + } + } else { +- krb5_msg = sss_krb5_get_error_message(krb5_error_ctx, kerr); ++ krb5_msg = sss_krb5_get_error_message(kr->ctx, kerr); + if (krb5_msg == NULL) { + DEBUG(1, ("sss_krb5_get_error_message failed.\n")); + return NULL; +@@ -429,7 +438,7 @@ + ret = pam_add_response(kr->pd, SSS_PAM_SYSTEM_INFO, + strlen(krb5_msg) + 1, + (const uint8_t *) krb5_msg); +- sss_krb5_free_error_message(krb5_error_ctx, krb5_msg); ++ sss_krb5_free_error_message(kr->ctx, krb5_msg); + } + if (ret != EOK) { + DEBUG(1, ("pam_add_response failed.\n")); +@@ -527,7 +536,7 @@ + break; + } + +- kerr = krb5_free_keytab_entry_contents(kr->ctx, &entry); ++ kerr = krb5_kt_free_entry(kr->ctx, &entry); + if (kerr != 0) { + DEBUG(1, ("Failed to free keytab entry.\n")); + } +@@ -575,7 +584,7 @@ + if (krb5_kt_close(kr->ctx, keytab) != 0) { + DEBUG(1, ("krb5_kt_close failed")); + } +- if (krb5_free_keytab_entry_contents(kr->ctx, &entry) != 0) { ++ if (krb5_kt_free_entry(kr->ctx, &entry) != 0) { + DEBUG(1, ("Failed to free keytab entry.\n")); + } + if (principal != NULL) { +@@ -605,13 +614,13 @@ + kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL, + &options); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + return kerr; + } + + kerr = create_ccache_file(ctx, princ, ccname, &creds); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + kerr = 0; +@@ -633,21 +642,21 @@ + sss_krb5_expire_callback_func, + kr); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + DEBUG(1, ("Failed to set expire callback, continue without.\n")); + } + kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, + password, sss_krb5_prompter, kr, 0, + NULL, kr->options); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + return kerr; + } + + if (kr->validate) { + kerr = validate_tgt(kr); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + return kerr; + } + +@@ -668,7 +677,7 @@ + + kerr = create_ccache_file(kr->ctx, kr->princ, kr->ccname, kr->creds); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto done; + } + +@@ -692,7 +701,7 @@ + krb5_error_code kerr = 0; + char *pass_str = NULL; + char *newpass_str = NULL; +- int pam_status = PAM_SYSTEM_ERR; ++ int pam_status = PAM_SERVICE_ERR; + int result_code = -1; + krb5_data result_code_string; + krb5_data result_string; +@@ -734,7 +743,7 @@ + changepw_princ, + kr->options); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + if (kerr == KRB5_KDC_UNREACH) { + pam_status = PAM_AUTHINFO_UNAVAIL; + } +@@ -773,7 +782,7 @@ + + if (kerr != 0 || result_code != 0) { + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + } else { + kerr = KRB5KRB_ERR_GENERIC; + } +@@ -825,7 +834,7 @@ + memset(kr->pd->newauthtok, 0, kr->pd->newauthtok_size); + + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + if (kerr == KRB5_KDC_UNREACH) { + pam_status = PAM_AUTHINFO_UNAVAIL; + } +@@ -846,7 +855,7 @@ + krb5_error_code kerr = 0; + char *pass_str = NULL; + char *changepw_princ = NULL; +- int pam_status = PAM_SYSTEM_ERR; ++ int pam_status = PAM_SERVICE_ERR; + + if (kr->pd->authtok_type != SSS_AUTHTOK_TYPE_PASSWORD) { + pam_status = PAM_CRED_INSUFFICIENT; +@@ -881,7 +890,7 @@ + kr->options, + NULL, NULL); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + DEBUG(1, ("Failed to unset expire callback, continue ...\n")); + } + kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, +@@ -899,7 +908,7 @@ + memset(kr->pd->authtok, 0, kr->pd->authtok_size); + + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + switch (kerr) { + case KRB5_KDC_UNREACH: + pam_status = PAM_AUTHINFO_UNAVAIL; +@@ -911,7 +920,7 @@ + pam_status = PAM_CRED_ERR; + break; + default: +- pam_status = PAM_SYSTEM_ERR; ++ pam_status = PAM_SERVICE_ERR; + } + } + +@@ -981,13 +990,13 @@ + + kerr = krb5_cc_resolve(kr->ctx, ccname, &ccache); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto done; + } + + kerr = krb5_get_renewed_creds(kr->ctx, kr->creds, kr->princ, ccache, NULL); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + if (kerr == KRB5_KDC_UNREACH) { + status = PAM_AUTHINFO_UNAVAIL; + } +@@ -997,7 +1006,7 @@ + if (kr->validate) { + kerr = validate_tgt(kr); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto done; + } + +@@ -1019,13 +1028,13 @@ + + kerr = krb5_cc_initialize(kr->ctx, ccache, kr->princ); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto done; + } + + kerr = krb5_cc_store_cred(kr->ctx, ccache, kr->creds); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto done; + } + +@@ -1059,8 +1068,8 @@ + + ret = create_ccache_file(kr->ctx, kr->princ, kr->ccname, NULL); + if (ret != 0) { +- KRB5_DEBUG(1, ret); +- pam_status = PAM_SYSTEM_ERR; ++ KRB5_DEBUG(1, ret, kr->ctx); ++ pam_status = PAM_SERVICE_ERR; + } + + ret = sendresponse(fd, ret, pam_status, kr); +@@ -1375,19 +1384,20 @@ + + kerr = krb5_init_context(&kr->ctx); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ /* FIXME: This sucks */ ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + + kerr = krb5_parse_name(kr->ctx, kr->upn, &kr->princ); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + + kerr = krb5_unparse_name(kr->ctx, kr->princ, &kr->name); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + +@@ -1400,18 +1410,18 @@ + + kerr = sss_krb5_get_init_creds_opt_alloc(kr->ctx, &kr->options); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + + /* A prompter is used to catch messages about when a password will + * expired. The library shall not use the prompter to ask for a new password + * but shall return KRB5KDC_ERR_KEY_EXP. */ +- krb5_get_init_creds_opt_set_change_password_prompt(kr->options, 0); +- if (kerr != 0) { +- KRB5_DEBUG(1, kerr); +- goto failed; +- } ++ // krb5_get_init_creds_opt_set_change_password_prompt(kr->options, 0); ++ // if (kerr != 0) { ++ // KRB5_DEBUG(1, kerr, kr->ctx); ++ // goto failed; ++ // } + + lifetime_str = getenv(SSSD_KRB5_RENEWABLE_LIFETIME); + if (lifetime_str == NULL) { +@@ -1422,7 +1432,7 @@ + if (kerr != 0) { + DEBUG(1, ("krb5_string_to_deltat failed for [%s].\n", + lifetime_str)); +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + krb5_get_init_creds_opt_set_renew_life(kr->options, lifetime); +@@ -1437,7 +1447,7 @@ + if (kerr != 0) { + DEBUG(1, ("krb5_string_to_deltat failed for [%s].\n", + lifetime_str)); +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + krb5_get_init_creds_opt_set_tkt_life(kr->options, lifetime); +@@ -1486,7 +1496,7 @@ + kr, &kr->fast_ccname); + if (kerr != 0) { + DEBUG(1, ("check_fast_ccache failed.\n")); +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + +@@ -1496,7 +1506,7 @@ + if (kerr != 0) { + DEBUG(1, ("sss_krb5_get_init_creds_opt_set_fast_ccache_name " + "failed.\n")); +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + +@@ -1507,7 +1517,7 @@ + if (kerr != 0) { + DEBUG(1, ("sss_krb5_get_init_creds_opt_set_fast_flags " + "failed.\n")); +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + } diff --git a/security/sssd/files/patch-src__providers__krb5__krb5_utils.c b/security/sssd/files/patch-src__providers__krb5__krb5_utils.c new file mode 100644 index 000000000000..60a59e873a67 --- /dev/null +++ b/security/sssd/files/patch-src__providers__krb5__krb5_utils.c @@ -0,0 +1,17 @@ +--- ./src/providers/krb5/krb5_utils.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/krb5/krb5_utils.c 2011-10-13 12:15:03.000000000 -0400 +@@ -435,10 +435,10 @@ + } + + server_name = talloc_asprintf(NULL, "krbtgt/%.*s@%.*s", +- krb5_princ_realm(ctx, client_princ)->length, +- krb5_princ_realm(ctx, client_princ)->data, +- krb5_princ_realm(ctx, client_princ)->length, +- krb5_princ_realm(ctx, client_princ)->data); ++ krb5_realm_length(krb5_princ_realm(ctx, client_princ)), ++ krb5_princ_realm(ctx, client_princ), ++ krb5_realm_length(krb5_princ_realm(ctx, client_princ)), ++ krb5_princ_realm(ctx, client_princ)); + if (server_name == NULL) { + kerr = KRB5_CC_NOMEM; + DEBUG(1, ("talloc_asprintf failed.\n")); diff --git a/security/sssd/files/patch-src__providers__ldap__ldap_auth.c b/security/sssd/files/patch-src__providers__ldap__ldap_auth.c new file mode 100644 index 000000000000..6e035e808891 --- /dev/null +++ b/security/sssd/files/patch-src__providers__ldap__ldap_auth.c @@ -0,0 +1,197 @@ +--- ./src/providers/ldap/ldap_auth.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/ldap/ldap_auth.c 2011-10-13 12:15:03.000000000 -0400 +@@ -37,7 +37,6 @@ + #include <sys/time.h> + #include <strings.h> + +-#include <shadow.h> + #include <security/pam_modules.h> + + #include "util/util.h" +@@ -46,6 +45,7 @@ + #include "providers/ldap/ldap_common.h" + #include "providers/ldap/sdap_async.h" + ++ + /* MIT Kerberos has the same hardcoded warning interval of 7 days. Due to the + * fact that using the expiration time of a Kerberos password with LDAP + * authentication is presumably a rare case a separate config option is not +@@ -59,6 +59,22 @@ + PWEXPIRE_SHADOW + }; + ++struct spwd ++{ ++ char *sp_namp; /* Login name. */ ++ char *sp_pwdp; /* Encrypted password. */ ++ long int sp_lstchg; /* Date of last change. */ ++ long int sp_min; /* Minimum number of days between changes. */ ++ long int sp_max; /* Maximum number of days between changes. */ ++ long int sp_warn; /* Number of days to warn user to change ++ the password. */ ++ long int sp_inact; /* Number of days the account may be ++ inactive. */ ++ long int sp_expire; /* Number of days since 1970-01-01 until ++ account expires. */ ++ unsigned long int sp_flag; /* Reserved. */ ++}; ++ + static errno_t add_expired_warning(struct pam_data *pd, long exp_time) + { + int ret; +@@ -111,17 +127,16 @@ + return EINVAL; + } + ++ tzset(); + expire_time = mktime(&tm); + if (expire_time == -1) { + DEBUG(1, ("mktime failed to convert [%s].\n", expire_date)); + return EINVAL; + } + +- tzset(); +- expire_time -= timezone; +- DEBUG(9, ("Time info: tzname[0] [%s] tzname[1] [%s] timezone [%d] " +- "daylight [%d] now [%d] expire_time [%d].\n", tzname[0], +- tzname[1], timezone, daylight, now, expire_time)); ++ DEBUG(9, ("Time info: tzname[0] [%s] tzname[1] [%s]" ++ "now [%d] expire_time [%d].\n", tzname[0], ++ tzname[1], now, expire_time)); + + if (difftime(now, expire_time) > 0.0) { + DEBUG(4, ("Kerberos password expired.\n")); +@@ -742,7 +757,7 @@ + + DEBUG(2, ("starting password change request for user [%s].\n", pd->user)); + +- pd->pam_status = PAM_SYSTEM_ERR; ++ pd->pam_status = PAM_SERVICE_ERR; + + if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) { + DEBUG(2, ("chpass target was called by wrong pam command.\n")); +@@ -799,7 +814,7 @@ + &pw_expire_type, &pw_expire_data); + talloc_zfree(req); + if (ret) { +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + +@@ -819,7 +834,7 @@ + &result); + if (ret != EOK) { + DEBUG(1, ("check_pwexpire_shadow failed.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + break; +@@ -828,14 +843,14 @@ + &result); + if (ret != EOK) { + DEBUG(1, ("check_pwexpire_kerberos failed.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + + if (result == SDAP_AUTH_PW_EXPIRED) { + DEBUG(1, ("LDAP provider cannot change kerberos " + "passwords.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + break; +@@ -844,7 +859,7 @@ + break; + default: + DEBUG(1, ("Unknow pasword expiration type.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + } +@@ -884,7 +899,7 @@ + dp_err = DP_ERR_OFFLINE; + break; + default: +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + } + + done: +@@ -905,7 +920,7 @@ + ret = sdap_exop_modify_passwd_recv(req, state, &result, &user_error_message); + talloc_zfree(req); + if (ret) { +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + +@@ -964,7 +979,7 @@ + goto done; + } + +- pd->pam_status = PAM_SYSTEM_ERR; ++ pd->pam_status = PAM_SERVICE_ERR; + + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: +@@ -1021,7 +1036,7 @@ + &pw_expire_type, &pw_expire_data); + talloc_zfree(req); + if (ret != EOK) { +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + dp_err = DP_ERR_FATAL; + goto done; + } +@@ -1033,7 +1048,7 @@ + state->pd, &result); + if (ret != EOK) { + DEBUG(1, ("check_pwexpire_shadow failed.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + break; +@@ -1042,7 +1057,7 @@ + state->pd, &result); + if (ret != EOK) { + DEBUG(1, ("check_pwexpire_kerberos failed.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + break; +@@ -1050,7 +1065,7 @@ + ret = check_pwexpire_ldap(state->pd, pw_expire_data, &result); + if (ret != EOK) { + DEBUG(1, ("check_pwexpire_ldap failed.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + break; +@@ -1058,7 +1073,7 @@ + break; + default: + DEBUG(1, ("Unknow pasword expiration type.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + } +@@ -1080,7 +1095,7 @@ + state->pd->pam_status = PAM_NEW_AUTHTOK_REQD; + break; + default: +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + dp_err = DP_ERR_FATAL; + } + diff --git a/security/sssd/files/patch-src__providers__ldap__ldap_child.c b/security/sssd/files/patch-src__providers__ldap__ldap_child.c new file mode 100644 index 000000000000..f4ad031850f7 --- /dev/null +++ b/security/sssd/files/patch-src__providers__ldap__ldap_child.c @@ -0,0 +1,43 @@ +--- ./src/providers/ldap/ldap_child.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/ldap/ldap_child.c 2011-10-13 12:15:03.000000000 -0400 +@@ -165,7 +165,7 @@ + } + + realm_name = talloc_strdup(memctx, default_realm); +- krb5_free_default_realm(context, default_realm); ++ free(default_realm); + if (!realm_name) { + krberr = KRB5KRB_ERR_GENERIC; + goto done; +@@ -279,20 +279,20 @@ + goto done; + } + +- krberr = krb5_get_time_offsets(context, &kdc_time_offset, &kdc_time_offset_usec); +- if (krberr) { +- DEBUG(2, ("Failed to get KDC time offset: %s\n", +- sss_krb5_get_error_message(context, krberr))); +- kdc_time_offset = 0; +- } else { +- if (kdc_time_offset_usec > 0) { +- kdc_time_offset++; +- } +- } ++ // krberr = krb5_get_time_offsets(context, &kdc_time_offset, &kdc_time_offset_usec); ++ // if (krberr) { ++ // DEBUG(2, ("Failed to get KDC time offset: %s\n", ++ // sss_krb5_get_error_message(context, krberr))); ++ // kdc_time_offset = 0; ++ // } else { ++ // if (kdc_time_offset_usec > 0) { ++ // kdc_time_offset++; ++ // } ++ // } + + krberr = 0; + *ccname_out = ccname; +- *expire_time_out = my_creds.times.endtime - kdc_time_offset; ++ *expire_time_out = my_creds.times.endtime; + + done: + if (keytab) krb5_kt_close(context, keytab); diff --git a/security/sssd/files/patch-src__providers__ldap__ldap_common.c b/security/sssd/files/patch-src__providers__ldap__ldap_common.c new file mode 100644 index 000000000000..400b33e6a3bc --- /dev/null +++ b/security/sssd/files/patch-src__providers__ldap__ldap_common.c @@ -0,0 +1,11 @@ +--- ./src/providers/ldap/ldap_common.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/ldap/ldap_common.c 2011-10-13 12:15:03.000000000 -0400 +@@ -749,7 +749,7 @@ + } + + realm = talloc_strdup(mem_ctx, krb5_realm); +- krb5_free_default_realm(context, krb5_realm); ++ free(krb5_realm); + if (!realm) { + DEBUG(0, ("Out of memory\n")); + goto done; diff --git a/security/sssd/files/patch-src__providers__ldap__sdap_access.c b/security/sssd/files/patch-src__providers__ldap__sdap_access.c new file mode 100644 index 000000000000..d27caf17ee99 --- /dev/null +++ b/security/sssd/files/patch-src__providers__ldap__sdap_access.c @@ -0,0 +1,177 @@ +--- ./src/providers/ldap/sdap_access.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/ldap/sdap_access.c 2011-10-13 12:15:03.000000000 -0400 +@@ -22,9 +22,7 @@ + along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +-#define _XOPEN_SOURCE 500 /* for strptime() */ + #include <time.h> +-#undef _XOPEN_SOURCE + #include <sys/param.h> + #include <security/pam_modules.h> + #include <talloc.h> +@@ -119,7 +117,7 @@ + pd); + if (req == NULL) { + DEBUG(1, ("Unable to start sdap_access request\n")); +- sdap_access_reply(breq, PAM_SYSTEM_ERR); ++ sdap_access_reply(breq, PAM_SERVICE_ERR); + return; + } + +@@ -157,7 +155,7 @@ + + state->be_ctx = be_ctx; + state->pd = pd; +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + state->ev = ev; + state->access_ctx = access_ctx; + state->current_rule = 0; +@@ -502,18 +500,17 @@ + return true; + } + ++ tzset(); + expire_time = mktime(&tm); + if (expire_time == -1) { + DEBUG(1, ("mktime failed to convert [%s].\n", exp_time_str)); + return true; + } + +- tzset(); +- expire_time -= timezone; + now = time(NULL); +- DEBUG(9, ("Time info: tzname[0] [%s] tzname[1] [%s] timezone [%d] " +- "daylight [%d] now [%d] expire_time [%d].\n", tzname[0], +- tzname[1], timezone, daylight, now, expire_time)); ++ DEBUG(9, ("Time info: tzname[0] [%s] tzname[1] [%s] " ++ "now [%d] expire_time [%d].\n", tzname[0], ++ tzname[1], now, expire_time)); + + if (difftime(now, expire_time) > 0.0) { + DEBUG(4, ("NDS account expired.\n")); +@@ -663,7 +660,7 @@ + return NULL; + } + +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + + expire = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic, + SDAP_ACCOUNT_EXPIRE_POLICY); +@@ -747,7 +744,7 @@ + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(1, ("Error retrieving access check result.\n")); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + tevent_req_error(req, ret); + return; + } +@@ -807,7 +804,7 @@ + state->filter = NULL; + state->be_ctx = be_ctx; + state->username = username; +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + state->sdap_ctx = access_ctx->id_ctx; + state->ev = ev; + state->access_ctx = access_ctx; +@@ -953,7 +950,7 @@ + SDAP_SEARCH_TIMEOUT)); + if (subreq == NULL) { + DEBUG(1, ("Could not start LDAP communication\n")); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + tevent_req_error(req, EIO); + return; + } +@@ -984,13 +981,13 @@ + if (ret == EOK) { + return; + } +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + } else if (dp_error == DP_ERR_OFFLINE) { + sdap_access_filter_decide_offline(req); + } else { + DEBUG(1, ("sdap_get_generic_send() returned error [%d][%s]\n", + ret, strerror(ret))); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + } + + goto done; +@@ -1009,7 +1006,7 @@ + else if (results == NULL) { + DEBUG(1, ("num_results > 0, but results is NULL\n")); + ret = EIO; +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + goto done; + } + else if (num_results > 1) { +@@ -1018,7 +1015,7 @@ + */ + DEBUG(1, ("Received multiple replies\n")); + ret = EIO; +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + goto done; + } + else { /* Ok, we got a single reply */ +@@ -1106,7 +1103,7 @@ + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(1, ("Error retrieving access check result.\n")); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + tevent_req_error(req, ret); + return; + } +@@ -1247,7 +1244,7 @@ + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(1, ("Error retrieving access check result.\n")); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + tevent_req_error(req, ret); + return; + } +@@ -1274,7 +1271,7 @@ + struct ldb_message_element *el; + unsigned int i; + char *host; +- char hostname[HOST_NAME_MAX+1]; ++ char hostname[_POSIX_HOST_NAME_MAX+1]; + + req = tevent_req_create(mem_ctx, &state, struct sdap_access_host_ctx); + if (!req) { +@@ -1370,7 +1367,7 @@ + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(1, ("Error retrieving access check result.\n")); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + tevent_req_error(req, ret); + return; + } +@@ -1395,7 +1392,7 @@ + static void sdap_access_done(struct tevent_req *req) + { + errno_t ret; +- int pam_status = PAM_SYSTEM_ERR; ++ int pam_status = PAM_SERVICE_ERR; + struct be_req *breq = + tevent_req_callback_data(req, struct be_req); + +@@ -1403,7 +1400,7 @@ + talloc_zfree(req); + if (ret != EOK) { + DEBUG(1, ("Error retrieving access check result.\n")); +- pam_status = PAM_SYSTEM_ERR; ++ pam_status = PAM_SERVICE_ERR; + } + + sdap_access_reply(breq, pam_status); diff --git a/security/sssd/files/patch-src__providers__proxy__proxy_init.c b/security/sssd/files/patch-src__providers__proxy__proxy_init.c new file mode 100644 index 000000000000..cbd6a6f2237b --- /dev/null +++ b/security/sssd/files/patch-src__providers__proxy__proxy_init.c @@ -0,0 +1,97 @@ +--- ./src/providers/proxy/proxy_init.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/proxy/proxy_init.c 2011-10-13 12:15:03.000000000 -0400 +@@ -124,7 +124,7 @@ + if (!ctx->handle) { + DEBUG(0, ("Unable to load %s module with path, error: %s\n", + libpath, dlerror())); +- ret = ELIBACC; ++ ret = ENOENT; + goto done; + } + +@@ -132,7 +132,7 @@ + libname); + if (!ctx->ops.getpwnam_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + +@@ -140,14 +140,14 @@ + libname); + if (!ctx->ops.getpwuid_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + + ctx->ops.setpwent = proxy_dlsym(ctx->handle, "_nss_%s_setpwent", libname); + if (!ctx->ops.setpwent) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + +@@ -155,14 +155,14 @@ + libname); + if (!ctx->ops.getpwent_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + + ctx->ops.endpwent = proxy_dlsym(ctx->handle, "_nss_%s_endpwent", libname); + if (!ctx->ops.endpwent) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + +@@ -170,7 +170,7 @@ + libname); + if (!ctx->ops.getgrnam_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + +@@ -178,14 +178,14 @@ + libname); + if (!ctx->ops.getgrgid_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + + ctx->ops.setgrent = proxy_dlsym(ctx->handle, "_nss_%s_setgrent", libname); + if (!ctx->ops.setgrent) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + +@@ -193,14 +193,14 @@ + libname); + if (!ctx->ops.getgrent_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + + ctx->ops.endgrent = proxy_dlsym(ctx->handle, "_nss_%s_endgrent", libname); + if (!ctx->ops.endgrent) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + diff --git a/security/sssd/files/patch-src__resolv__async_resolv.c b/security/sssd/files/patch-src__resolv__async_resolv.c new file mode 100644 index 000000000000..ab308eb302c4 --- /dev/null +++ b/security/sssd/files/patch-src__resolv__async_resolv.c @@ -0,0 +1,19 @@ +--- ./src/resolv/async_resolv.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/resolv/async_resolv.c 2011-10-13 12:15:03.000000000 -0400 +@@ -1073,7 +1073,6 @@ + hints.ai_flags = AI_NUMERICHOST; /* No network lookups */ + + ret = getaddrinfo(name, NULL, &hints, &res); +- freeaddrinfo(res); + if (ret != 0) { + if (ret == -2) { + DEBUG(9, ("[%s] does not look like an IP address\n", name)); +@@ -1081,6 +1080,8 @@ + DEBUG(2, ("getaddrinfo failed [%d]: %s\n", + ret, gai_strerror(ret))); + } ++ } else { ++ freeaddrinfo(res); + } + + return ret == 0; diff --git a/security/sssd/files/patch-src__responder__common__responder_common.c b/security/sssd/files/patch-src__responder__common__responder_common.c new file mode 100644 index 000000000000..9a60b2b5aa47 --- /dev/null +++ b/security/sssd/files/patch-src__responder__common__responder_common.c @@ -0,0 +1,11 @@ +--- ./src/responder/common/responder_common.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/responder/common/responder_common.c 2011-10-13 12:15:03.000000000 -0400 +@@ -195,7 +195,7 @@ + talloc_free(cctx); + break; + +- case ENODATA: ++ case ECONNRESET: + DEBUG(5, ("Client disconnected!\n")); + talloc_free(cctx); + break; diff --git a/security/sssd/files/patch-src__responder__common__responder_dp.c b/security/sssd/files/patch-src__responder__common__responder_dp.c new file mode 100644 index 000000000000..a8c08ff19374 --- /dev/null +++ b/security/sssd/files/patch-src__responder__common__responder_dp.c @@ -0,0 +1,20 @@ +--- ./src/responder/common/responder_dp.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/responder/common/responder_dp.c 2011-10-13 12:15:03.000000000 -0400 +@@ -210,7 +210,7 @@ + &sdp_req->err_min, + &sdp_req->err_msg); + if (ret != EOK) { +- if (ret == ETIME) { ++ if (ret == ETIMEDOUT) { + sdp_req->err_maj = DP_ERR_TIMEOUT; + sdp_req->err_min = ret; + sdp_req->err_msg = talloc_strdup(sdp_req, "Request timed out"); +@@ -569,7 +569,7 @@ + case DBUS_MESSAGE_TYPE_ERROR: + if (strcmp(dbus_message_get_error_name(reply), + DBUS_ERROR_NO_REPLY) == 0) { +- err = ETIME; ++ err = ETIMEDOUT; + goto done; + } + DEBUG(0,("The Data Provider returned an error [%s]\n", diff --git a/security/sssd/files/patch-src__responder__common__responder_packet.c b/security/sssd/files/patch-src__responder__common__responder_packet.c new file mode 100644 index 000000000000..30cf77c17248 --- /dev/null +++ b/security/sssd/files/patch-src__responder__common__responder_packet.c @@ -0,0 +1,11 @@ +--- ./src/responder/common/responder_packet.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/responder/common/responder_packet.c 2011-10-13 12:15:03.000000000 -0400 +@@ -192,7 +192,7 @@ + } + + if (rb == 0) { +- return ENODATA; ++ return ECONNRESET; + } + + if (*packet->len > packet->memsize) { diff --git a/security/sssd/files/patch-src__sss_client__common.c b/security/sssd/files/patch-src__sss_client__common.c new file mode 100644 index 000000000000..b5afcd3a3c99 --- /dev/null +++ b/security/sssd/files/patch-src__sss_client__common.c @@ -0,0 +1,63 @@ +--- ./src/sss_client/common.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/sss_client/common.c 2011-10-13 12:15:03.000000000 -0400 +@@ -26,6 +26,7 @@ + #include "config.h" + + #include <nss.h> ++#include <nsswitch.h> + #include <security/pam_modules.h> + #include <errno.h> + #include <sys/types.h> +@@ -111,7 +112,6 @@ + *errnop = error; + break; + case 0: +- *errnop = ETIME; + break; + case 1: + if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { +@@ -216,7 +216,6 @@ + *errnop = error; + break; + case 0: +- *errnop = ETIME; + break; + case 1: + if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { +@@ -638,7 +637,6 @@ + *errnop = error; + break; + case 0: +- *errnop = ETIME; + break; + case 1: + if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { +@@ -688,23 +686,23 @@ + /* avoid looping in the nss daemon */ + envval = getenv("_SSS_LOOPS"); + if (envval && strcmp(envval, "NO") == 0) { +- return NSS_STATUS_NOTFOUND; ++ return NS_NOTFOUND; + } + + ret = sss_cli_check_socket(errnop, SSS_NSS_SOCKET_NAME); + if (ret != SSS_STATUS_SUCCESS) { +- return NSS_STATUS_UNAVAIL; ++ return NS_UNAVAIL; + } + + ret = sss_cli_make_request_nochecks(cmd, rd, repbuf, replen, errnop); + switch (ret) { + case SSS_STATUS_TRYAGAIN: +- return NSS_STATUS_TRYAGAIN; ++ return NS_TRYAGAIN; + case SSS_STATUS_SUCCESS: +- return NSS_STATUS_SUCCESS; ++ return NS_SUCCESS; + case SSS_STATUS_UNAVAIL: + default: +- return NSS_STATUS_UNAVAIL; ++ return NS_UNAVAIL; + } + } + diff --git a/security/sssd/files/patch-src__sss_client__nss_group.c b/security/sssd/files/patch-src__sss_client__nss_group.c new file mode 100644 index 000000000000..5ba574b5b2d5 --- /dev/null +++ b/security/sssd/files/patch-src__sss_client__nss_group.c @@ -0,0 +1,80 @@ +--- ./src/sss_client/nss_group.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/sss_client/nss_group.c 2011-10-13 12:15:03.000000000 -0400 +@@ -248,6 +248,77 @@ + } + + ++#define MIN(a, b)((a) < (b) ? (a) : (b)) ++ ++gr_addgid(gid_t gid, gid_t *groups, int maxgrp, int *grpcnt) ++{ ++ int ret, dupc; ++ ++ for (dupc = 0; dupc < MIN(maxgrp, *grpcnt); dupc++) { ++ if (groups[dupc] == gid) ++ return 1; ++ } ++ ++ ret = 1; ++ if (*grpcnt < maxgrp) ++ groups[*grpcnt] = gid; ++ else ++ ret = 0; ++ ++ (*grpcnt)++; ++ ++ return ret; ++} ++ ++enum nss_status _nss_sss_getgroupmembership(const char *uname, gid_t agroup, gid_t *groups, ++ int maxgrp, int *grpcnt) ++{ ++ struct sss_cli_req_data rd; ++ uint8_t *repbuf; ++ size_t replen; ++ enum nss_status nret; ++ uint32_t *rbuf; ++ uint32_t num_ret; ++ long int l, max_ret; ++ int errnop; ++ ++ rd.len = strlen(uname) +1; ++ rd.data = uname; ++ ++ sss_nss_lock(); ++ ++ nret = sss_nss_make_request(SSS_NSS_INITGR, &rd, ++ &repbuf, &replen, &errnop); ++ if (nret != NSS_STATUS_SUCCESS) { ++ goto out; ++ } ++ ++ /* no results if not found */ ++ num_ret = ((uint32_t *)repbuf)[0]; ++ if (num_ret == 0) { ++ free(repbuf); ++ nret = NSS_STATUS_NOTFOUND; ++ goto out; ++ } ++ max_ret = num_ret; ++ ++ gr_addgid(agroup, groups, maxgrp, grpcnt); ++ ++ rbuf = &((uint32_t *)repbuf)[2]; ++ for (l = 0; l < max_ret; l++) { ++ gr_addgid(rbuf[l], groups, maxgrp, grpcnt); ++ } ++ ++ free(repbuf); ++ nret = NSS_STATUS_SUCCESS; ++ ++out: ++ sss_nss_unlock(); ++ return nret; ++ ++ ++} ++ + enum nss_status _nss_sss_getgrnam_r(const char *name, struct group *result, + char *buffer, size_t buflen, int *errnop) + { diff --git a/security/sssd/files/patch-src__sss_client__pam_test_client.c b/security/sssd/files/patch-src__sss_client__pam_test_client.c new file mode 100644 index 000000000000..106919e56436 --- /dev/null +++ b/security/sssd/files/patch-src__sss_client__pam_test_client.c @@ -0,0 +1,18 @@ +--- ./src/sss_client/pam_test_client.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/sss_client/pam_test_client.c 2011-10-13 12:15:03.000000000 -0400 +@@ -24,12 +24,13 @@ + + #include <stdio.h> + #include <unistd.h> ++#include <string.h> + + #include <security/pam_appl.h> +-#include <security/pam_misc.h> ++#include <security/openpam.h> + + static struct pam_conv conv = { +- misc_conv, ++ openpam_ttyconv, + NULL + }; + diff --git a/security/sssd/files/patch-src__sss_client__sss_nss.exports b/security/sssd/files/patch-src__sss_client__sss_nss.exports new file mode 100644 index 000000000000..8ee95e4e0873 --- /dev/null +++ b/security/sssd/files/patch-src__sss_client__sss_nss.exports @@ -0,0 +1,36 @@ +--- ./src/sss_client/sss_nss.exports.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/sss_client/sss_nss.exports 2011-10-13 12:13:42.000000000 -0400 +@@ -3,6 +3,7 @@ + # public functions + global: + ++ nss_module_register; + _nss_sss_getpwnam_r; + _nss_sss_getpwuid_r; + _nss_sss_setpwent; +@@ -14,8 +15,25 @@ + _nss_sss_setgrent; + _nss_sss_getgrent_r; + _nss_sss_endgrent; ++ _nss_sss_getgroupmembership; + _nss_sss_initgroups_dyn; + ++ __nss_compat_getgrnam_r; ++ __nss_compat_getgrgid_r; ++ __nss_compat_getgrent_r; ++ __nss_compat_setgrent; ++ __nss_compat_endgrent; ++ ++ __nss_compat_getpwnam_r; ++ __nss_compat_getpwuid_r; ++ __nss_compat_getpwent_r; ++ __nss_compat_setpwent; ++ __nss_compat_endpwent; ++ ++ __nss_compat_gethostbyname; ++ __nss_compat_gethostbyname2; ++ __nss_compat_gethostbyaddr; ++ + #_nss_sss_getaliasbyname_r; + #_nss_sss_setaliasent; + #_nss_sss_getaliasent_r; diff --git a/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c b/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c new file mode 100644 index 000000000000..ce04ffd86db6 --- /dev/null +++ b/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c @@ -0,0 +1,20 @@ +--- ./src/util/crypto/libcrypto/crypto_sha512crypt.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/crypto/libcrypto/crypto_sha512crypt.c 2011-10-13 12:15:03.000000000 -0400 +@@ -265,7 +265,7 @@ + goto done; + } + +- cp = __stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); ++ cp = stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); + buflen -= SALT_PREF_SIZE; + + if (rounds_custom) { +@@ -283,7 +283,7 @@ + ret = ERANGE; + goto done; + } +- cp = __stpncpy(cp, salt, salt_len); ++ cp = stpncpy(cp, salt, salt_len); + *cp++ = '$'; + buflen -= salt_len + 1; + diff --git a/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c b/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c new file mode 100644 index 000000000000..12631e967506 --- /dev/null +++ b/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c @@ -0,0 +1,29 @@ +--- ./src/util/crypto/nss/nss_sha512crypt.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/crypto/nss/nss_sha512crypt.c 2011-10-13 12:15:03.000000000 -0400 +@@ -10,7 +10,7 @@ + + #include "config.h" + +-#include <endian.h> ++#include <sys/endian.h> + #include <errno.h> + #include <limits.h> + #include <stdbool.h> +@@ -267,7 +267,7 @@ + goto done; + } + +- cp = __stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); ++ cp = stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); + buflen -= SALT_PREF_SIZE; + + if (rounds_custom) { +@@ -285,7 +285,7 @@ + ret = ERANGE; + goto done; + } +- cp = __stpncpy(cp, salt, salt_len); ++ cp = stpncpy(cp, salt, salt_len); + *cp++ = '$'; + buflen -= salt_len + 1; + diff --git a/security/sssd/files/patch-src__util__find_uid.c b/security/sssd/files/patch-src__util__find_uid.c new file mode 100644 index 000000000000..1b518d45a885 --- /dev/null +++ b/security/sssd/files/patch-src__util__find_uid.c @@ -0,0 +1,31 @@ +--- ./src/util/find_uid.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/find_uid.c 2011-10-13 12:15:03.000000000 -0400 +@@ -67,7 +67,7 @@ + uint32_t num=0; + errno_t error; + +- ret = snprintf(path, PATHLEN, "/proc/%d/status", pid); ++ ret = snprintf(path, PATHLEN, "/compat/linux/proc/%d/status", pid); + if (ret < 0) { + DEBUG(1, ("snprintf failed")); + return EINVAL; +@@ -204,7 +204,7 @@ + hash_key_t key; + hash_value_t value; + +- proc_dir = opendir("/proc"); ++ proc_dir = opendir("/compat/linux/proc"); + if (proc_dir == NULL) { + ret = errno; + DEBUG(1, ("Cannot open proc dir.\n")); +@@ -278,9 +278,8 @@ + + errno_t get_uid_table(TALLOC_CTX *mem_ctx, hash_table_t **table) + { +-#ifdef __linux__ + int ret; +- ++#if 1 + ret = hash_create_ex(INITIAL_TABLE_SIZE, table, 0, 0, 0, 0, + hash_talloc, hash_talloc_free, mem_ctx, + NULL, NULL); diff --git a/security/sssd/files/patch-src__util__server.c b/security/sssd/files/patch-src__util__server.c new file mode 100644 index 000000000000..8d37670929f0 --- /dev/null +++ b/security/sssd/files/patch-src__util__server.c @@ -0,0 +1,22 @@ +--- ./src/util/server.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/server.c 2011-10-13 12:15:03.000000000 -0400 +@@ -296,14 +296,15 @@ + BlockSignals(false, SIGTERM); + + CatchSignal(SIGHUP, sig_hup); +- + #ifndef HAVE_PRCTL + /* If prctl is not defined on the system, try to handle + * some common termination signals gracefully */ +- CatchSignal(SIGSEGV, sig_segv_abrt); +- CatchSignal(SIGABRT, sig_segv_abrt); ++ /* ++ CatchSignal(SIGSEGV, sig_segv_abrt); ++ CatchSignal(SIGABRT, sig_segv_abrt); ++ */ + #endif +- ++ + } + + /* diff --git a/security/sssd/files/patch-src__util__sss_krb5.c b/security/sssd/files/patch-src__util__sss_krb5.c new file mode 100644 index 000000000000..d0403d313f4d --- /dev/null +++ b/security/sssd/files/patch-src__util__sss_krb5.c @@ -0,0 +1,58 @@ +--- ./src/util/sss_krb5.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/sss_krb5.c 2011-10-13 12:15:03.000000000 -0400 +@@ -165,8 +165,8 @@ + + if (_realm) { + *_realm = talloc_asprintf(mem_ctx, "%.*s", +- krb5_princ_realm(ctx, client_princ)->length, +- krb5_princ_realm(ctx, client_princ)->data); ++ krb5_realm_length(krb5_princ_realm(krb_ctx, client_princ)), ++ krb5_princ_realm(krb_ctx, client_princ)); + if (!*_realm) { + DEBUG(1, ("talloc_asprintf failed")); + if (_principal) talloc_zfree(*_principal); +@@ -243,7 +243,7 @@ + } + + realm_name = talloc_strdup(tmp_ctx, default_realm); +- krb5_free_default_realm(context, default_realm); ++ free(default_realm); + if (!realm_name) { + ret = ENOMEM; + goto done; +@@ -322,7 +322,7 @@ + found = true; + } + free(kt_principal); +- krberr = krb5_free_keytab_entry_contents(context, &entry); ++ krberr = krb5_kt_free_entry(context, &entry); + if (krberr) { + /* This should never happen. The API docs for this function + * specify only success for this function +@@ -466,7 +466,7 @@ + break; + } + +- kerr = krb5_free_keytab_entry_contents(ctx, &entry); ++ kerr = krb5_kt_free_entry(ctx, &entry); + if (kerr != 0) { + DEBUG(1, ("Failed to free keytab entry.\n")); + } +@@ -504,7 +504,7 @@ + kerr = 0; + + done: +- kerr_d = krb5_free_keytab_entry_contents(ctx, &entry); ++ kerr_d = krb5_kt_free_entry(ctx, &entry); + if (kerr_d != 0) { + DEBUG(1, ("Failed to free keytab entry.\n")); + } +@@ -540,7 +540,7 @@ + void KRB5_CALLCONV sss_krb5_free_error_message(krb5_context ctx, const char *s) + { + #ifdef HAVE_KRB5_GET_ERROR_MESSAGE +- krb5_free_error_message(ctx, s); ++ free(s); + #else + free(s); + #endif diff --git a/security/sssd/files/patch-src__util__sss_krb5.h b/security/sssd/files/patch-src__util__sss_krb5.h new file mode 100644 index 000000000000..2e028c3c4bd6 --- /dev/null +++ b/security/sssd/files/patch-src__util__sss_krb5.h @@ -0,0 +1,11 @@ +--- ./src/util/sss_krb5.h.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/sss_krb5.h 2011-10-13 12:15:09.000000000 -0400 +@@ -34,6 +34,8 @@ + + #include "util/util.h" + ++#define KRB5_CALLCONV ++ + const char * KRB5_CALLCONV sss_krb5_get_error_message (krb5_context, + krb5_error_code); + diff --git a/security/sssd/files/patch-src__util__sss_ldap.c b/security/sssd/files/patch-src__util__sss_ldap.c new file mode 100644 index 000000000000..290a931692e3 --- /dev/null +++ b/security/sssd/files/patch-src__util__sss_ldap.c @@ -0,0 +1,20 @@ +--- ./src/util/sss_ldap.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/sss_ldap.c 2011-10-13 12:15:03.000000000 -0400 +@@ -267,7 +267,7 @@ + strerror(ret))); + } + +- ret = setsockopt(fd, SOL_TCP, TCP_NODELAY, &dummy, sizeof(dummy)); ++ ret = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &dummy, sizeof(dummy)); + if (ret != 0) { + ret = errno; + DEBUG(5, ("setsockopt TCP_NODELAY failed.[%d][%s].\n", ret, +@@ -340,7 +340,7 @@ + DEBUG(9, ("Using file descriptor [%d] for LDAP connection.\n", state->sd)); + + subreq = sdap_async_sys_connect_send(state, ev, state->sd, +- (struct sockaddr *) addr, addr_len); ++ (struct sockaddr *) addr, sizeof(struct sockaddr)); + if (subreq == NULL) { + ret = ENOMEM; + DEBUG(1, ("sdap_async_sys_connect_send failed.\n")); diff --git a/security/sssd/files/patch-src__util__util.c b/security/sssd/files/patch-src__util__util.c new file mode 100644 index 000000000000..f421e6da53fd --- /dev/null +++ b/security/sssd/files/patch-src__util__util.c @@ -0,0 +1,10 @@ +--- ./src/util/util.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/util.c 2011-10-13 12:15:03.000000000 -0400 +@@ -18,6 +18,7 @@ + along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + ++#include <sys/socket.h> + #include <ctype.h> + #include <netdb.h> + diff --git a/security/sssd/files/sssd.in b/security/sssd/files/sssd.in new file mode 100644 index 000000000000..23596ffb19a5 --- /dev/null +++ b/security/sssd/files/sssd.in @@ -0,0 +1,32 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# PROVIDE: sssd +# REQUIRE: DAEMON +# BEFORE: LOGIN +# KEYWORD: shutdown + +# Add the following lines to /etc/rc.conf to enable `sssd': +# +# sssd_enable="YES" +# +# See sssd(8) for sssd_flags +# + +. /etc/rc.subr + +name="sssd" +rcvar=`set_rcvar` + +command="%%PREFIX%%/sbin/$name" +sssd_flags="-D" +pidfile="/var/run/$name.pid" +required_files="%%PREFIX%%/etc/$name/$name.conf" + +# read configuration and set defaults +load_rc_config "$name" +: ${sssd_enable="NO"} + +run_rc_command "$1" diff --git a/security/sssd/pkg-descr b/security/sssd/pkg-descr new file mode 100644 index 000000000000..526c666af2fc --- /dev/null +++ b/security/sssd/pkg-descr @@ -0,0 +1,9 @@ +This project provides a set of daemons to manage access to remote +directories and authentication mechanisms, it provides an NSS and +PAM interface toward the system and a pluggable backend system to +connect to multiple different account sources. It is also the +basis to provide client auditing and policy services for projects +like FreeIPA. sssd also features caching, which can allow for +offline use to assist laptop users. + +WWW: https://fedorahosted.org/sssd/ diff --git a/security/sssd/pkg-message b/security/sssd/pkg-message new file mode 100644 index 000000000000..1b06ff5ba86b --- /dev/null +++ b/security/sssd/pkg-message @@ -0,0 +1,21 @@ +================================================================================ +Copy %%PREFIX%%/etc/sssd/sssd.conf.sample to %%PREFIX%%/etc/sssd/sssd.conf +and edit %%PREFIX%%/etc/sssd/sssd.conf (see man sssd.conf for details) + +To load sssd at startup, add sssd_enable="YES" to /etc/rc.conf + +To enable pam integration, add a line similar to the following to +/etc/pam.d/system: + +login auth sufficient %%PREFIX%%/lib/pam_sss.so + +To enable NSS integration, update /etc/nsswitch.conf as follows: + +group: sss files +passwd: sss files + +For additional details, please see the man pages for pam.conf and nsswitch.conf + +An sssd HOWTO is also available: +https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2 +================================================================================ diff --git a/security/sssd/pkg-plist b/security/sssd/pkg-plist new file mode 100644 index 000000000000..f7664573ff55 --- /dev/null +++ b/security/sssd/pkg-plist @@ -0,0 +1,84 @@ +share/locale/zh_TW/LC_MESSAGES/sssd.mo +share/locale/uk/LC_MESSAGES/sssd.mo +share/locale/sv/LC_MESSAGES/sssd.mo +share/locale/ru/LC_MESSAGES/sssd.mo +share/locale/pt/LC_MESSAGES/sssd.mo +share/locale/pl/LC_MESSAGES/sssd.mo +share/locale/nl/LC_MESSAGES/sssd.mo +share/locale/ja/LC_MESSAGES/sssd.mo +share/locale/it/LC_MESSAGES/sssd.mo +share/locale/id/LC_MESSAGES/sssd.mo +share/locale/fr/LC_MESSAGES/sssd.mo +share/locale/es/LC_MESSAGES/sssd.mo +share/locale/de/LC_MESSAGES/sssd.mo +sbin/sssd +sbin/sss_usermod +sbin/sss_userdel +sbin/sss_useradd +sbin/sss_obfuscate +sbin/sss_groupshow +sbin/sss_groupmod +sbin/sss_groupdel +sbin/sss_groupadd +sbin/sss_cache +libexec/sssd/sssd_pam +libexec/sssd/sssd_nss +libexec/sssd/sssd_be +libexec/sssd/proxy_child +libexec/sssd/ldap_child +libexec/sssd/krb5_child +libdata/pkgconfig/ipa_hbac.pc +lib/sssd/libsss_simple.so +lib/sssd/libsss_simple.la +lib/sssd/libsss_proxy.so +lib/sssd/libsss_proxy.la +lib/sssd/libsss_ldap.so +lib/sssd/libsss_ldap.la +lib/sssd/libsss_krb5.so +lib/sssd/libsss_krb5.la +lib/sssd/libsss_ipa.so +lib/sssd/libsss_ipa.la +lib/pam_sss.so.5 +lib/pam_sss.so +lib/pam_sss.la +lib/nss_sss.so.2 +lib/nss_sss.so.1 +lib/nss_sss.so +lib/nss_sss.la +lib/libipa_hbac.so.0 +lib/libipa_hbac.so +lib/libipa_hbac.la +lib/ldb/memberof.so +lib/%%PYTHON_VERSION%%/site-packages/sssd_upgrade_config.pyc +lib/%%PYTHON_VERSION%%/site-packages/sssd_upgrade_config.py +lib/%%PYTHON_VERSION%%/site-packages/pysss.so +lib/%%PYTHON_VERSION%%/site-packages/pysss.la +lib/%%PYTHON_VERSION%%/site-packages/pyhbac.so +lib/%%PYTHON_VERSION%%/site-packages/pyhbac.la +lib/%%PYTHON_VERSION%%/site-packages/ipachangeconf.pyc +lib/%%PYTHON_VERSION%%/site-packages/ipachangeconf.py +lib/%%PYTHON_VERSION%%/site-packages/SSSDConfig.pyc +lib/%%PYTHON_VERSION%%/site-packages/SSSDConfig.py +lib/%%PYTHON_VERSION%%/site-packages/SSSDConfig-1-py2.7.egg-info +include/ipa_hbac.h +etc/sssd/sssd.api.d/sssd-simple.conf +etc/sssd/sssd.api.d/sssd-proxy.conf +etc/sssd/sssd.api.d/sssd-local.conf +etc/sssd/sssd.api.d/sssd-ldap.conf +etc/sssd/sssd.api.d/sssd-krb5.conf +etc/sssd/sssd.api.d/sssd-ipa.conf +etc/sssd/sssd.api.conf +etc/sssd/sssd.conf.sample +@dirrmtry lib/pkgconfig +@dirrmtry lib/ldb +@dirrmtry etc/sssd/sssd.api.d +@dirrmtry etc/sssd +@dirrm share/sssd/introspect +@dirrm share/sssd +@dirrm libexec/sssd +@dirrm lib/sssd +@unexec if cmp -s %D/etc/sssd/sssd.conf.sample %D/etc/sssd/sssd.conf; then rm -f %D/etc/sssd/sssd.conf; fi +@exec if [ ! -f %D/etc/sssd/sssd.conf ]; then cp -p %D/%F %B/sssd.conf; fi +@unexec if [ -d %%ETCDIR%% ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf %%ETCDIR%%`` to remove any configuration files."; fi +@unexec if [ -d /var/db/sss ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf /var/db/sss`` to remove any additional files."; fi +@unexec if [ -d /var/run/sss ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf /var/run/sss`` to remove any additional files."; fi |